Click here to read Part I: AI Offense in the Cyber Battlefield
AI-Powered Defensive Strategies
While there are novel approaches to using AI in a malicious manner, some of these techniques can be used to defend networks. There are a number of approaches where both traditional AI and GenAI will provide an edge to defenders in the battle for cyberspace. It is important to point out that while we may use AI, it must be a tool and not a solution unto itself. We must keep humans in the loop in charge of critical functions that may impact our mission.
Advanced Threat Detection
When we look at our network we need to move past the traditional signature-based detections and find unknown anomalies. If the malicious actors are going to use new techniques and zero-day attacks we need to have a near real-time ability to determine if something may be malicious. We achieve this through behavior analysis, which is based on certain activities raising the potential of something being malicious. Things such as attempting to access memory or becoming network aware when an application typically doesn’t need that functionality, may not be identified by a signature-based detection system, but an AI system using ML could make connections and associations.
As we adopt new frameworks and concepts like Zero Trust, which allows network operators more flexibility and granularity of control of resources and data, we are also exponentially increasing the data that defenders must analyze to accurately defend these new network models. Log and alert analysis can rapidly overwhelm cyber defense analysts within the Security Operations Center(SOC) if left to manual review. In the new dynamic environments, allowing a system using GenAI to update your alerts and prevention mechanisms in near real time is an incredible boon. The system would be able to self-defend within banded limits set by cyber defenders at a scale and speed a human analyst cannot hope to match. Then only the behavior that may exceed those limits is passed to the human defenders for further action.
Intelligent Incident Response
This leads into the next stage of SOC actions of what to do after a threat has done something malicious in your network. This usually implies they have bypassed your defense mechanisms in some manner. Now we have what we would term an “incident” and move into incident response. Often, this requires significant manual analysis, since the expectation is that our automated analysis tools have already failed or been bypassed.
Since modern attacks can be multifaceted and take advantage of various applications’ vulnerabilities to achieve the malicious actors’ end goals, we will need to review logs and alerts from multiple sources that may all be providing data in different and incompatible formats. Using neural networks, the ML will be able to take disparate or seemingly unconnected data points and draw correlations a human may never see. Again, based on shear volume AI will be an incredible aid, but one of the best-known secrets of GenAI is Natural Language Processing (NLP). This process allows the GenAI system to understand human speech or text input in a natural way. So instead of having to understand the log or database structure and build queries in that language, typically a form of Structured Query Language (SQL) that is dependent on a specific database application, we can just ask a standard question. We could simply ask AI to provide all actions performed by a specific user within a given time period. The system would be able to correlate our statement and generate the necessary queries in the correct structured language or languages to analyze the request. It can then provide you with feedback in your natural language. Most of us see this today in our favorite Chat AI, like ChatGPT. This not only overcomes analysts not knowing SQL, but it can also overcome human language barriers and translate between foreign languages and applications often written in English.
Our ability to use AI to cover scope and depth at speed and scale during an incident response is a huge advantage against malicious actors.
Automated Vulnerability Management
AI is also going to be able to help us with our vulnerability management efforts. Vulnerability management is the process of determining what vulnerabilities exist on our network or on our systems. It is most often done by scanning every system in our network or reviewing application inventory databases against patches and fixes provided by the application vendors. Part of this process requires us to determine the severity of each vulnerability, the priority of patching in line with our mission or operational tempo. We have to balance the defense of the network with the availability of the network resources.
AI can help us determine how the network functions and the best times to apply patches. It can also be configured to determine if a patch can be applied without downtime and in what priority. By analyzing network traffic, use-cases, and visible application uptimes, the AI system would be able to understand the critical systems, optimal times and frequency to apply those patches. While on the surface, these may seem simplistic in a large network or system of systems, there can be hundreds of thousands of variables to consider during normal change management and out-of-cycle patching.
There may also be potential risks in applying patches and the AI can provide recommendations on other remediations or mitigations to put in place to compensate for the unpatched systems. We often see this in unique devices or applications that may not be upgradable for large number of reasons, but the functions they provide are critical to your organization.
The AI Cybersecurity Arms Race
The battle between the “good guys” and the “bad guys” is ongoing. It is an ever-escalating game of cat and mouse, and those who innovate these new technologies, not just first, but correctly, will win, for a time. It is often said that the attacker only has to be right once, but the defenders have to be right every time. And that is true to a point. What AI will allow us to do is cover more ground, faster and in more depth than before.
Technology, specifically within the AI field is advancing rapidly, and there is very little time between discovery and implementation of these advances. We need to understand that there is a feedback loop with many AI solutions and using AI to combat AI is a necessary tool in our arsenal.
This isn’t a question of whether or not your organization should adopt AI cybersecurity solutions, but how and when they will adopt them. AI is already in your networks and mission set. Average users will demand access to tools to aid in their work and you will need to provide them. This will often mean introducing more AI solutions into your networks.
Adversaries will continue to modernize their techniques using AI to mature and hasten their attacks. We need to defend in kind. This is a war between attackers and defenders and AI should be seen as a tool not an objective. Early adoption will provide for better understanding long term, use acceptance of these technologies (which can feel invasive), and a more agile defensive posture.
Conclusion
The rise of AI in cybersecurity presents a double-edged sword. While malicious actors are leveraging AI, particularly GenAI, to enhance their offensive capabilities through rapid code generation, sophisticated phishing attacks, and potentially autonomous exploitation agents, defenders can harness the same technologies to bolster their defenses. AI-powered solutions offer advanced threat detection, intelligent incident response, and automated vulnerability management, enabling faster, more comprehensive security measures. As the cyber battlefield evolves, the key lies in strategically integrating AI as a powerful tool while maintaining human oversight to ensure effective and ethical cybersecurity practices.
